Posted to notifications@superset.apache.org by GitBox <gi...@apache.org> on 2022/01/26 01:29:19 UTC

[GitHub] [superset] suddjian commented on issue #18150: Markdown with iframe (Echart type - Big Number ) error: "Unexpected token < in JSON at position 0"

suddjian commented on issue #18150:
URL: https://github.com/apache/superset/issues/18150#issuecomment-1021769509


   > In my case, I think it has something to do with legacy charts.
   
   That's exactly right, legacy charts use an older data endpoint that wasn't added to the CSRF exempt list.
   
   > However, I believe that it is not a good option to disable this CSRF protection.
   
   Also correct, disabling CSRF protection can open you up to XSS vulnerabilities.
   
   We ran into the same problem independently, and just merged a PR that changes the CSRF exempt list, here: https://github.com/apache/superset/pull/17530/files#diff-c99ae4b2b09b756ab2189a99a9685229f9d12633fc2616c368ea869770f603bfR202. The endpoint is safe to make exempt from CSRF, because although it is a `POST`, it does not alter any application state and can't be used for XSS attacks.
   
   I believe that commit should solve this issue, and the other related ones.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

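The comment above argues that a POST endpoint can be taken off the CSRF exempt list's protection only when it changes no application state. The following is an added example, not Superset's or the commenter's code: a small stdlib-only model of a Flask-WTF-style CSRF guard with a per-endpoint exempt set, driven once with a legitimate in-page request and once with forged cross-site requests. The `ToyApp`, `explore_json` and `delete_dashboard` handlers, the session/token scheme, and the scenario runner are all hypothetical stand-ins for the real endpoints, chosen only to show the difference between exempting a read-only endpoint and exempting a mutating one.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Added example, not Superset's code: a toy model of a Flask-WTF-style CSRF
# guard with a per-endpoint exempt list, to show when exempting a POST is safe.

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


@dataclass
class Request:
    method: str
    endpoint: str
    cookies: dict = field(default_factory=dict)  # the browser attaches these to any request
    headers: dict = field(default_factory=dict)  # only same-origin page JS can set X-CSRFToken
    body: dict = field(default_factory=dict)


class ToyApp:
    def __init__(self, csrf_exempt):
        self.csrf_exempt = set(csrf_exempt)             # endpoint names the guard skips
        self.sessions = {}                              # session cookie -> {"user", "csrf"}
        self.dashboards = {"d1": "Sales", "d2": "Ops"}  # the application state we care about

    def login(self, user):
        sid, token = secrets.token_hex(16), secrets.token_hex(16)
        self.sessions[sid] = {"user": user, "csrf": token}
        return sid, token

    def _csrf_valid(self, req, session):
        sent = req.headers.get("X-CSRFToken") or req.body.get("csrf_token", "")
        return hmac.compare_digest(sent, session["csrf"])

    def dispatch(self, req):
        session = self.sessions.get(req.cookies.get("session"))
        if session is None:
            return 401, "login required"
        # Unsafe methods need a valid token unless the endpoint is on the exempt list.
        if req.method not in SAFE_METHODS and req.endpoint not in self.csrf_exempt:
            if not self._csrf_valid(req, session):
                return 400, "The CSRF token is missing."
        handler = getattr(self, "view_" + req.endpoint, None)
        if handler is None:
            return 404, "no such endpoint"
        return handler(req)

    # Read-only data endpoint (hypothetical): a POST because the query spec is
    # large, but it only reads state, so exempting it gives a forger nothing.
    def view_explore_json(self, req):
        names = sorted(self.dashboards.values())
        limit = int(req.body.get("row_limit", len(names)))
        return 200, {"data": names[:limit]}

    # State-changing endpoint (hypothetical): must never be CSRF-exempt.
    def view_delete_dashboard(self, req):
        self.dashboards.pop(req.body["id"], None)
        return 200, {"deleted": req.body["id"]}


def run_scenarios(csrf_exempt):
    """Send one legitimate and two forged requests through an app built with the
    given exempt list; return the status codes and the dashboards that survive."""
    app = ToyApp(csrf_exempt)
    sid, token = app.login("alice")
    cookies = {"session": sid}

    # Legitimate request from the app's own page: session cookie plus token header.
    legit = Request("POST", "explore_json", cookies, {"X-CSRFToken": token}, {"row_limit": 1})
    # Forged requests from an attacker's page: the browser adds the cookie, but the
    # attacker can neither read nor guess the token, so none is sent.
    forged_read = Request("POST", "explore_json", cookies, {}, {"row_limit": 1})
    forged_delete = Request("POST", "delete_dashboard", cookies, {}, {"id": "d1"})

    results = {
        "legit_read": app.dispatch(legit)[0],
        "forged_read": app.dispatch(forged_read)[0],
        "forged_delete": app.dispatch(forged_delete)[0],
    }
    results["dashboards"] = sorted(app.dashboards)
    return results


if __name__ == "__main__":
    print("exempt only the read-only endpoint:", run_scenarios({"explore_json"}))
    print("exempt the mutating endpoint too:  ", run_scenarios({"explore_json", "delete_dashboard"}))
```

With only the read-only endpoint exempt, the forged data request is accepted but leaves the dashboards untouched, while the forged delete is rejected with 400; adding the mutating endpoint to the exempt set lets the cross-site page delete `d1` using nothing but the victim's cookie. The check to make before exempting any endpoint is therefore the one the comment names: read the handler and confirm it has no side effects.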